Verifying Robust Unlearning: Probing Residual Knowledge in Unlearned Models
This addresses security and privacy issues in machine unlearning for users and regulators, representing a novel verification approach rather than an incremental improvement.
The paper tackles the problem of residual knowledge persisting in machine unlearning models, which can be exploited by adversaries, and introduces the Unlearning Mapping Attack (UMA) as a verification framework that shows existing techniques remain vulnerable even when passing current metrics.
Machine Unlearning (MUL) is crucial for privacy protection and content regulation, yet recent studies reveal that traces of forgotten information persist in unlearned models, enabling adversaries to resurface removed knowledge. Existing verification methods only confirm whether unlearning was executed, failing to detect such residual information leaks. To address this, we introduce the concept of Robust Unlearning, ensuring models are indistinguishable from retraining and resistant to adversarial recovery. To empirically evaluate whether unlearning techniques meet this security standard, we propose the Unlearning Mapping Attack (UMA), a post-unlearning verification framework that actively probes models for forgotten traces using adversarial queries. Extensive experiments on discriminative and generative tasks show that existing unlearning techniques remain vulnerable, even when passing existing verification metrics. By establishing UMA as a practical verification tool, this study sets a new standard for assessing and enhancing machine unlearning security.